Analysis
- max time kernel: 148s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/09/2024, 04:21
Static task: static1
Behavioral task: behavioral1 (sample wpsupdate.msi, resource win7-20240903-en)
Behavioral task: behavioral2 (sample wpsupdate.msi, resource win10v2004-20240802-en)
Only behavioral2 (the Windows 10 run) is reported below: every memory-dump resource and process IoC on this page is prefixed behavioral2 or belongs to that run.
General
- Target: wpsupdate.msi
- Size: 26.2MB
- MD5: 6172dbd24d1ccc413437ee5d9f38a750
- SHA1: 4c24165e5d375ecaf5b5c49d831e48f70833bcfa
- SHA256: 8e599267e624e8865dc1377d533cbbed11a53d18cb3de3946e62e5887b06b641
- SHA512: 362432449d23d40fa0d2ccf27e608e063b083d23da9fa1c3ad10cf3772763421859fa91bf2c3bbd257f1a8e8ef723930dd758d009ff0cfbaf4be96316dd0fc0d
- SSDEEP: 786432:HURQ1YYrOtsAdzpQof4c01tYhGYrmeGY3TT5:H2sRzeI8iCT5
Malware Config
Signatures
- PurpleFox rootkit (YARA rule purplefox_rootkit) 2 IoCs
  resource: behavioral2/memory/4500-74-0x000000002B760000-0x000000002B91B000-memory.dmp
  resource: behavioral2/memory/4500-76-0x000000002B760000-0x000000002B91B000-memory.dmp
- Gh0st RAT payload (YARA rule family_gh0strat) 2 IoCs
  resource: behavioral2/memory/4500-74-0x000000002B760000-0x000000002B91B000-memory.dmp
  resource: behavioral2/memory/4500-76-0x000000002B760000-0x000000002B91B000-memory.dmp
Both rule sets hit the same region (0x2B760000 to 0x2B91B000, about 1.7 MiB) dumped twice from PID 4500, the third TpuaDVwAtO28.exe instance, so the two family labels describe one in-memory payload rather than two. No file on disk is listed as matching either rule; the unpacked payload has to be carved from those two dumps, not from the files in C:\Program Files\GuidePortalRapid.
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only), grouped by process (the report lists at most 64 entries per signature, so not every letter shows the same count):
- msiexec.exe, both instances (PIDs 3216 and 592), 43 entries: \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
- TpuaDVwAtO28.exe (PID 4500), 21 entries: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
The msiexec.exe walk is Windows Installer's own volume enumeration and appears on benign MSI installs too; the entries attributable to the payload are the E: to Z: sweep by TpuaDVwAtO28.exe (PID 4500), the process whose memory later matched the PurpleFox and Gh0st rules.
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
- File opened for modification \??\PhysicalDrive0 wpsupdate.exe
Caveat: this signature keys on a handle to \??\PhysicalDrive0 opened with write access; the report does not show sector data actually being written. The same process (wpsupdate.exe, PID 4920) is the one writing the Kingsoft\Office hardware-ID keys under HKEY_USERS, whose InfoHD3Verify_C value decodes to a date, a disk identifier and a MAC address, so a raw-disk open for hardware fingerprinting is a plausible alternative reading of this IoC. Treat the Bootkit mapping in the ATT&CK section as unconfirmed until the MBR of the analysis disk has been diffed against a clean image.
Drops file in Program Files directory 14 IoCs
- File created C:\Program Files\GuidePortalRapid\Aspose.Pdf.dll msiexec.exe
- File created C:\Program Files\GuidePortalRapid\FFGLWmUerQTM.exe msiexec.exe
- File created C:\Program Files\GuidePortalRapid\wLzlKRWUCYQcfFYfQuoA msiexec.exe
- File created C:\Program Files\GuidePortalRapid\wpsupdate.exe msiexec.exe
- File created C:\Program Files\GuidePortalRapid\TpuaDVwAtO28.exe FFGLWmUerQTM.exe
- File opened for modification C:\Program Files\GuidePortalRapid\TpuaDVwAtO28.exe FFGLWmUerQTM.exe
- File created C:\Program Files\GuidePortalRapid\tTKiMHhNtqSk.xml FFGLWmUerQTM.exe
- File opened for modification C:\Program Files\GuidePortalRapid\tTKiMHhNtqSk.xml FFGLWmUerQTM.exe
- File created C:\Program Files\GuidePortalRapid\tTKiMHhNtqSk.exe FFGLWmUerQTM.exe
- File opened for modification C:\Program Files\GuidePortalRapid\tTKiMHhNtqSk.exe FFGLWmUerQTM.exe
- File opened for modification C:\Program Files\GuidePortalRapid TpuaDVwAtO28.exe
- File opened for modification C:\Program Files\GuidePortalRapid\tTKiMHhNtqSk.wrapper.log tTKiMHhNtqSk.exe (3 entries)
The MSI itself installs only four files (Aspose.Pdf.dll, which carries the name of a commercial PDF library and is not referenced again in the report; the extractor FFGLWmUerQTM.exe; the archive wLzlKRWUCYQcfFYfQuoA; and wpsupdate.exe). Everything else in the directory is written by FFGLWmUerQTM.exe when it unpacks the archive (see its command line under Processes).
Drops file in Windows directory 8 IoCs
- File created C:\Windows\Installer\SourceHash{23F1BC36-6B08-40DD-A32A-E7BA31F7379D} msiexec.exe
- File opened for modification C:\Windows\Installer\MSICFC3.tmp msiexec.exe
- File created C:\Windows\Installer\e57cecb.msi msiexec.exe
- File created C:\Windows\Installer\e57cec9.msi msiexec.exe
- File opened for modification C:\Windows\Installer\e57cec9.msi msiexec.exe
- File opened for modification C:\Windows\Installer\ msiexec.exe
- File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe
- File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe
All of these are Windows Installer housekeeping: the SourceHash GUID is the package's ProductCode (the same code appears, squished, in the Products registration below), the .msi copies are the installer cache, and the ngen.log touch indicates a .NET native-image step ran during the install.
Executes dropped EXE 8 IoCs
- 4980 FFGLWmUerQTM.exe
- 4584 TpuaDVwAtO28.exe
- 4920 wpsupdate.exe
- 4696 tTKiMHhNtqSk.exe
- 4708 tTKiMHhNtqSk.exe
- 2876 tTKiMHhNtqSk.exe
- 3428 TpuaDVwAtO28.exe
- 4500 TpuaDVwAtO28.exe
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
- 3216 msiexec.exe
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by:
- MsiExec.exe
- FFGLWmUerQTM.exe
- wpsupdate.exe
- TpuaDVwAtO28.exe (3 entries, one per instance)
Reading NLS\Language is also what any localized installer or runtime does on startup, so on its own this signature does not separate the payload from the installer plumbing.
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
All five IoCs come from vssvc.exe (PID 4108), the Volume Shadow Copy service, while it serviced the restore point that srtasks.exe (PID 4876, launched by msiexec.exe) requested. This is Windows Installer housekeeping on the analysis machine's own disk (Ven_WDC, Prod_WDS100T2B0A), not the dropped binaries probing for a sandbox. The 32-bit value b58935fa near the start of PartitionTableCache is the MBR disk signature, byte-reversed from the fa3589b5 that appears in the Volume{...} path under Downloads; SnapshotDataCache starts with the ASCII tag SNAPPART (534e4150 50415254).
- Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000b58935fac5ebb7730000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000b58935fa0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900b58935fa000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1db58935fa000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000b58935fa00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe
- Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe
- Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 TpuaDVwAtO28.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz TpuaDVwAtO28.exe
Both entries belong to PID 4500 (per the Processes tree), the instance that also sweeps drive letters and whose memory matched the payload rules.
Modifies data under HKEY_USERS 28 IoCs
wpsupdate.exe (PID 4920), 15 entries:
- Key created \REGISTRY\USER\.DEFAULT\Software
- Key created \REGISTRY\USER\.DEFAULT\Software\Kingsoft
- Key created \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office
- Key created \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0
- Key created \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common
- Key created \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\khdinfo
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\khdinfo\InfoLastHardInfo (value not shown in the report)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\khdinfo\InfoCurHardInfo = "29a56b8a14940c3acb7a4a6443907c56|77dc1d9a9e2694fdf777c34f21cb01e9"
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\khdinfo\InfoHDModifiedType = "hdidRecalByOldHdidFromRegIsEmpty|2024-9-20"
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\InfoHD = "4503c3c9913b1b2bbb9b8ae31dd06f56"
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\InfoHD3_C = "4503c3c9913b1b2bbb9b8ae31dd06f56"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\InfoHDt = "20"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\InfoHD3t = "20"
- Set value (data) \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\InfoHD3Verify_C = 32003000320034002d0039002d00320030007c00570044004300200032002e0035002b00320033003200310033003800380030003400310036003500200020002000200020002000200020007c00430036002d00310035002d00330037002d00450043002d00380042002d00340034000000
MsiExec.exe (PID 2488), 7 entries:
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0"
msiexec.exe (PID 592), 3 entries:
- Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27
- Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E
- Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26
TpuaDVwAtO28.exe (PID 3428), 3 entries:
- Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"
The Kingsoft\Office\6.0\Common\khdinfo tree is a hardware-ID record (the key names say as much: InfoHD, InfoCurHardInfo, InfoHDModifiedType with a "recalculated because the old id was empty" marker and the run date), written to the .DEFAULT hive because the process runs in a context without a loaded user profile. InfoHD3Verify_C is UTF-16LE text, not opaque binary. The two MuiCache strings written by TpuaDVwAtO28.exe are the friendly names of certificate enhanced-key-usage OIDs; they get cached when a process resolves OID names, for example while building a certificate chain, which hints at TLS or certificate handling in that process but is not by itself evidence of anything hostile.
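The InfoHD3Verify_C value in the HKEY_USERS list above is UTF-16LE text stored as REG_BINARY. The following is an added example, not part of the report, that decodes it and splits it into its three '|'-separated fields; the labels date / disk / mac are mine, chosen from what the decoded fields look like, and are not Kingsoft's own field names. The hex string is copied from the IoC above. It also checks the locally-administered bit of the recorded MAC, which is what a practitioner would look at to tell a virtual NIC from a vendor-assigned one.

```python
"""Decode the Kingsoft InfoHD3Verify_C value that wpsupdate.exe wrote under
HKEY_USERS\\.DEFAULT\\Software\\Kingsoft\\Office\\6.0\\Common.

Added example, not part of the report. The REG_BINARY value is UTF-16LE text
with three '|'-separated fields; the labels date / disk / mac are assumptions
made for readability, not Kingsoft's own names.
"""

# Hex copied verbatim from the "Modifies data under HKEY_USERS" IoC.
INFO_HD3_VERIFY_C_HEX = (
    "32003000320034002d0039002d00320030007c00"
    "570044004300200032002e0035002b0032003300"
    "3200310033003800380030003400310036003500"
    "200020002000200020002000200020007c004300"
    "36002d00310035002d00330037002d0045004300"
    "2d00380042002d00340034000000"
)


def decode_utf16le_hex(hex_value: str) -> str:
    """Hex dump of a REG_BINARY value -> the UTF-16LE string it holds, NUL-trimmed."""
    return bytes.fromhex(hex_value).decode("utf-16-le").rstrip("\x00")


def parse_hard_info(text: str) -> dict:
    """Split the '|'-separated record; the disk field is padded with spaces."""
    fields = [part.strip() for part in text.split("|")]
    if len(fields) != 3:
        raise ValueError("expected date|disk|mac, got %d fields" % len(fields))
    date, disk, mac = fields
    return {"date": date, "disk": disk, "mac": mac}


def mac_is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set means the address was not vendor-assigned
    (typical of virtual NICs, which is what a sandbox would have)."""
    first_octet = int(mac.replace(":", "-").split("-")[0], 16)
    return bool(first_octet & 0x02)


def describe(hex_value: str = INFO_HD3_VERIFY_C_HEX) -> dict:
    info = parse_hard_info(decode_utf16le_hex(hex_value))
    info["mac_locally_administered"] = mac_is_locally_administered(info["mac"])
    return info


if __name__ == "__main__":
    for key, value in describe().items():
        print("%-26s %s" % (key, value))
```

The decoded record is the run date, a WDC disk identifier and a MAC address, which is hardware-fingerprint material rather than anything a bootkit would need; read it alongside the PhysicalDrive0 handle flagged under "Writes to the Master Boot Record (MBR)".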
Modifies registry class 22 IoCs
All entries are written by msiexec.exe (PID 592) under \REGISTRY\MACHINE\SOFTWARE\Classes\Installer and are the package's product registration:
- Key created ...\Installer\UpgradeCodes\9255E7775B746E544994284282C6D9E4
- Set value (str) ...\Installer\UpgradeCodes\9255E7775B746E544994284282C6D9E4\63CB1F3280B6DD043AA27EAB137F73D9
- Key created ...\Installer\Products\63CB1F3280B6DD043AA27EAB137F73D9
- Key created ...\Installer\Products\63CB1F3280B6DD043AA27EAB137F73D9\SourceList
- Key created ...\Installer\Products\63CB1F3280B6DD043AA27EAB137F73D9\SourceList\Media
- Key created ...\Installer\Products\63CB1F3280B6DD043AA27EAB137F73D9\SourceList\Net
- Key created ...\Installer\Features\63CB1F3280B6DD043AA27EAB137F73D9
- Set value (str) ...\Installer\Features\63CB1F3280B6DD043AA27EAB137F73D9\ProductFeature
- Set value (str) ...\Installer\Products\63CB1F3280B6DD043AA27EAB137F73D9\PackageCode = "32B8F39D4469AE64A860107226DE41EF"
- Set value (int) ...\Installer\Products\63CB1F3280B6DD043AA27EAB137F73D9\InstanceType = "0"
- Set value (str) ...\Installer\Products\63CB1F3280B6DD043AA27EAB137F73D9\ProductName = "GuidePortalRapid"
- Set value (int) ...\Installer\Products\63CB1F3280B6DD043AA27EAB137F73D9\Language = "1033"
- Set value (str) ...\Installer\Products\63CB1F3280B6DD043AA27EAB137F73D9\SourceList\PackageName = "wpsupdate.msi"
- Set value (str) ...\Installer\Products\63CB1F3280B6DD043AA27EAB137F73D9\SourceList\Media\1 = ";"
- Set value (str) ...\Installer\Products\63CB1F3280B6DD043AA27EAB137F73D9\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"
- Set value (str) ...\Installer\Products\63CB1F3280B6DD043AA27EAB137F73D9\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
- Set value (int) ...\Installer\Products\63CB1F3280B6DD043AA27EAB137F73D9\AuthorizedLUAApp = "0"
- Set value (int) ...\Installer\Products\63CB1F3280B6DD043AA27EAB137F73D9\AdvertiseFlags = "388"
- Set value (int) ...\Installer\Products\63CB1F3280B6DD043AA27EAB137F73D9\DeploymentFlags = "3"
- Set value (data) ...\Installer\Products\63CB1F3280B6DD043AA27EAB137F73D9\Clients = 3a0000000000
- Set value (int) ...\Installer\Products\63CB1F3280B6DD043AA27EAB137F73D9\Version = "33751044"
- Set value (int) ...\Installer\Products\63CB1F3280B6DD043AA27EAB137F73D9\Assignment = "1"
The 32-character codes are Windows Installer's "squished" GUID form: 63CB1F3280B6DD043AA27EAB137F73D9 is the ProductCode {23F1BC36-6B08-40DD-A32A-E7BA31F7379D} that also names the SourceHash file above, and Version 33751044 (0x02030004) is product version 2.3.4. Language 1033 is en-US and ProductName "GuidePortalRapid" is the display name the package registers; these, plus the UpgradeCode, are the values to pivot on when hunting for other builds of the same installer.
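The product, upgrade and package codes in the registry list above are stored in Windows Installer's squished form. The following added example, not part of the report, converts them back to GUIDs, decodes the packed Version DWORD, and checks that the product GUID is the one in the SourceHash{...} path under "Drops file in Windows directory". The squish rule (first three GUID groups reversed character by character, last two reversed byte by byte) and the 8/8/16-bit Version packing are the documented Windows Installer conventions; the values are copied from the IoCs on this page.

```python
"""Decode the Windows Installer product registration that msiexec.exe (PID 592)
wrote under HKLM\\SOFTWARE\\Classes\\Installer.

Added example, not part of the report. Windows Installer stores GUIDs in a
"squished" 32-character form: the first three groups of the GUID are reversed
character by character, the last two groups byte by byte (each pair of hex
digits swapped). The Version DWORD packs major.minor.build as 8/8/16 bits.
"""
import re

# Values copied from the "Modifies registry class" IoCs.
PRODUCT_SQUISHED = "63CB1F3280B6DD043AA27EAB137F73D9"
UPGRADE_SQUISHED = "9255E7775B746E544994284282C6D9E4"
PACKAGE_SQUISHED = "32B8F39D4469AE64A860107226DE41EF"
VERSION_DWORD = "33751044"

# Path copied from the "Drops file in Windows directory" IoCs, used as a cross-check.
SOURCEHASH_PATH = r"C:\Windows\Installer\SourceHash{23F1BC36-6B08-40DD-A32A-E7BA31F7379D}"


def _swap_pairs(s: str) -> str:
    """Reverse each two-character byte: 'A32A' -> '3AA2'. Self-inverse."""
    return "".join(s[i + 1] + s[i] for i in range(0, len(s), 2))


def unsquish(squished: str) -> str:
    """Squished 32-hex form -> '{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}'."""
    s = squished.upper()
    if not re.fullmatch(r"[0-9A-F]{32}", s):
        raise ValueError("squished GUID must be 32 hex digits")
    return "{%s-%s-%s-%s-%s}" % (
        s[0:8][::-1], s[8:12][::-1], s[12:16][::-1],
        _swap_pairs(s[16:20]), _swap_pairs(s[20:32]),
    )


def squish(guid: str) -> str:
    """Inverse of unsquish(); handy for locating a known ProductCode in the registry."""
    parts = guid.strip("{}").upper().split("-")
    if [len(p) for p in parts] != [8, 4, 4, 4, 12]:
        raise ValueError("GUID must be 8-4-4-4-12 hex groups")
    return (parts[0][::-1] + parts[1][::-1] + parts[2][::-1]
            + _swap_pairs(parts[3]) + _swap_pairs(parts[4]))


def decode_msi_version(value) -> tuple:
    """Installer Version DWORD -> (major, minor, build)."""
    v = int(value)
    return ((v >> 24) & 0xFF, (v >> 16) & 0xFF, v & 0xFFFF)


def sourcehash_guid(path: str) -> str:
    """The GUID embedded in a C:\\Windows\\Installer\\SourceHash{...} file name."""
    m = re.search(r"SourceHash(\{[0-9A-Fa-f-]{36}\})", path)
    return m.group(1).upper() if m else ""


def product_matches_sourcehash(squished: str = PRODUCT_SQUISHED,
                               path: str = SOURCEHASH_PATH) -> bool:
    """True when the Products key and the SourceHash file name the same ProductCode."""
    return unsquish(squished) == sourcehash_guid(path)


if __name__ == "__main__":
    print("ProductCode ", unsquish(PRODUCT_SQUISHED))
    print("UpgradeCode ", unsquish(UPGRADE_SQUISHED))
    print("PackageCode ", unsquish(PACKAGE_SQUISHED))
    print("Version     ", "%d.%d.%d" % decode_msi_version(VERSION_DWORD))
    print("SourceHash matches ProductCode:", product_matches_sourcehash())
```

The un-squished ProductCode and UpgradeCode are what `msiexec /x {GUID}` and the Uninstall registry keys use, so they are the identifiers to search for on other hosts; the UpgradeCode in particular survives rebuilds of the package with a new ProductCode.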
Suspicious behavior: EnumeratesProcesses 64 IoCs
Entries per process (the list is capped at 64):
- 592 msiexec.exe: 2
- 4920 wpsupdate.exe: 4
- 4584 TpuaDVwAtO28.exe: 2
- 2876 tTKiMHhNtqSk.exe: 2
- 3428 TpuaDVwAtO28.exe: 4
- 4500 TpuaDVwAtO28.exe: 50
The bulk of the process enumeration is done by PID 4500, the instance whose memory matched the PurpleFox and Gh0st rules; repeated enumeration from a long-lived process is the pattern a RAT uses to watch for analysis tools or pick an injection target.
Suspicious use of AdjustPrivilegeToken 64 IoCs
- 3216 msiexec.exe (31 entries): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- 592 msiexec.exe (22 entries): SeSecurityPrivilege, SeBackupPrivilege, then SeRestorePrivilege and SeTakeOwnershipPrivilege toggled repeatedly during file installation
- 4108 vssvc.exe (3 entries): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- 4876 srtasks.exe (8 entries): SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, each twice
None of the dropped executables appears here; every entry is a Windows component. The enable-everything sweep by PID 3216 is what msiexec.exe does at startup for any package, and AdjustTokenPrivileges can only enable privileges the token already holds, so none of this is an escalation.
Suspicious use of FindShellTrayWindow 7 IoCs
- 3216 msiexec.exe: 2
- 4920 wpsupdate.exe: 5
Suspicious use of SendNotifyMessage 5 IoCs
- 4920 wpsupdate.exe: 5
Suspicious use of WriteProcessMemory 20 IoCs
Each entry reads "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>"; collapsed by writer/target pair:
- 592 msiexec.exe wrote to 4876 (srtasks.exe), 2 entries, procid_target 94
- 592 msiexec.exe wrote to 2488 (MsiExec.exe), 3 entries, procid_target 96
- 2488 MsiExec.exe wrote to 4980 (FFGLWmUerQTM.exe), 3 entries, procid_target 97
- 2488 MsiExec.exe wrote to 4584 (TpuaDVwAtO28.exe), 3 entries, procid_target 99
- 2488 MsiExec.exe wrote to 4920 (wpsupdate.exe), 3 entries, procid_target 100
- 2876 tTKiMHhNtqSk.exe wrote to 3428 (TpuaDVwAtO28.exe), 3 entries, procid_target 106
- 3428 TpuaDVwAtO28.exe wrote to 4500 (TpuaDVwAtO28.exe), 3 entries, procid_target 107
Every target is a direct child of its writer in the Processes tree, so these are the parent-to-child writes made while spawning a process, not injection into an unrelated one. Cross-process injection would show a target PID that the writer did not create; there is none here, which matters because both family rules matched inside TpuaDVwAtO28.exe's own address space rather than in a hollowed system process.
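To make that check repeatable, here is an added example (not part of the report) that parses the twenty IoC lines above, collapses them into writer/target pairs, and flags any target the writer did not itself create. The IoC text is copied from this section; CREATED_BY is the parent/child table read off the Processes tree below. A foreign target would be the first sign of real injection.

```python
"""Rebuild parent->child edges from the "Suspicious use of WriteProcessMemory"
IoCs and flag writes whose target the writer did not spawn.

Added example, not part of the report. WPM_IOCS is the IoC list from the page,
one entry per line; CREATED_BY is the parent/child table read from the
Processes tree.
"""
import re
from collections import Counter

WPM_IOCS = """\
PID 592 wrote to memory of 4876 592 msiexec.exe 94
PID 592 wrote to memory of 4876 592 msiexec.exe 94
PID 592 wrote to memory of 2488 592 msiexec.exe 96
PID 592 wrote to memory of 2488 592 msiexec.exe 96
PID 592 wrote to memory of 2488 592 msiexec.exe 96
PID 2488 wrote to memory of 4980 2488 MsiExec.exe 97
PID 2488 wrote to memory of 4980 2488 MsiExec.exe 97
PID 2488 wrote to memory of 4980 2488 MsiExec.exe 97
PID 2488 wrote to memory of 4584 2488 MsiExec.exe 99
PID 2488 wrote to memory of 4584 2488 MsiExec.exe 99
PID 2488 wrote to memory of 4584 2488 MsiExec.exe 99
PID 2488 wrote to memory of 4920 2488 MsiExec.exe 100
PID 2488 wrote to memory of 4920 2488 MsiExec.exe 100
PID 2488 wrote to memory of 4920 2488 MsiExec.exe 100
PID 2876 wrote to memory of 3428 2876 tTKiMHhNtqSk.exe 106
PID 2876 wrote to memory of 3428 2876 tTKiMHhNtqSk.exe 106
PID 2876 wrote to memory of 3428 2876 tTKiMHhNtqSk.exe 106
PID 3428 wrote to memory of 4500 3428 TpuaDVwAtO28.exe 107
PID 3428 wrote to memory of 4500 3428 TpuaDVwAtO28.exe 107
PID 3428 wrote to memory of 4500 3428 TpuaDVwAtO28.exe 107
"""

# child pid -> parent pid, from the Processes section of the report
CREATED_BY = {4876: 592, 2488: 592, 4980: 2488, 4584: 2488, 4920: 2488,
              3428: 2876, 4500: 3428}

IOC_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_write_edges(text: str):
    """Return Counter mapping (writer_pid, target_pid) -> number of IoC entries."""
    edges = Counter()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = IOC_RE.match(line)
        if not m or m.group(1) != m.group(3):
            raise ValueError("unexpected IoC line: " + line)
        edges[(int(m.group(1)), int(m.group(2)))] += 1
    return edges


def foreign_targets(edges, created_by) -> set:
    """Writes into a process the writer did not create: the injection candidates."""
    return {(writer, target) for writer, target in edges
            if created_by.get(target) != writer}


def lineage(pid: int, created_by) -> list:
    """Ancestry of pid, nearest parent first, as far as the table reaches."""
    chain = [pid]
    while chain[-1] in created_by:
        chain.append(created_by[chain[-1]])
    return chain


if __name__ == "__main__":
    edges = parse_write_edges(WPM_IOCS)
    for (writer, target), n in sorted(edges.items()):
        print("%5d -> %5d  x%d" % (writer, target, n))
    print("foreign targets:", foreign_targets(edges, CREATED_BY) or "none")
    print("lineage of 4500:", lineage(4500, CREATED_BY))
```

Run on the page's own data, foreign_targets() is empty and lineage(4500) resolves to 4500, 3428, 2876: the payload process descends from the bare tTKiMHhNtqSk.exe instance, not from the installer, which is the fact to carry into the remediation plan.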
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
No process is attributed to this signature on the page. In the Processes tree the related activity is srtasks.exe ExecuteScopeRestorePoint (PID 4876), launched by the msiexec.exe service instance (PID 592), with vssvc.exe (PID 4108) servicing the request: Windows Installer creating a system restore point before the install, not the payload touching shadow copies. Nothing on the page shows shadow copies being deleted.
Processes
The report's depth markers (1, 2, 3) are rendered here as indentation; each process keeps the signature bullets the report attributed to it.
- C:\Windows\system32\msiexec.exe
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\wpsupdate.msi
  PID 3216 (depth 1; the Windows Installer client started for the submission)
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  C:\Windows\system32\msiexec.exe /V
  PID 592 (depth 1; /V is the Windows Installer service instance, which performs the install)
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\srtasks.exe
    C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID 4876 (depth 2; the restore point created before the install, which is why vssvc.exe appears below)
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\syswow64\MsiExec.exe
    C:\Windows\syswow64\MsiExec.exe -Embedding FB49F41EC8C6223095B1044ACD591F85 E Global\MSI0000
    PID 2488 (depth 2; the 32-bit custom-action server: everything the package runs beyond copying files is launched from here)
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\GuidePortalRapid\FFGLWmUerQTM.exe
      "C:\Program Files\GuidePortalRapid\FFGLWmUerQTM.exe" x "C:\Program Files\GuidePortalRapid\wLzlKRWUCYQcfFYfQuoA" -o"C:\Program Files\GuidePortalRapid\" -pzKdAioNbrgsvnIwrocNm -y
      PID 4980 (depth 3)
      - Drops file in Program Files directory
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      The argument syntax (x, -o<dir>, -p<password>, -y) is 7-Zip's command line: the archive wLzlKRWUCYQcfFYfQuoA, which msiexec.exe dropped next to the extractor, is unpacked into the install directory with the password zKdAioNbrgsvnIwrocNm. The files this process is credited with creating under "Drops file in Program Files directory" (tTKiMHhNtqSk.exe, tTKiMHhNtqSk.xml and a second TpuaDVwAtO28.exe) are the archive's contents; a password-protected archive keeps them opaque to static inspection of the MSI, and the password on this command line is what you need to open it yourself.
    - C:\Program Files\GuidePortalRapid\TpuaDVwAtO28.exe
      "C:\Program Files\GuidePortalRapid\TpuaDVwAtO28.exe" -number 123 -file file3 -mode mode3 -flag flag3
      PID 4584 (depth 3)
      - Drops file in Program Files directory
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    - C:\Program Files\GuidePortalRapid\wpsupdate.exe
      "C:\Program Files\GuidePortalRapid\wpsupdate.exe"
      PID 4920 (depth 3)
      - Writes to the Master Boot Record (MBR)
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      This is the process that opens \??\PhysicalDrive0 and the one writing the Kingsoft\Office hardware-ID keys under HKEY_USERS; it also makes the tray-window and notification calls of a user-facing updater. See the caveat under "Writes to the Master Boot Record (MBR)".
- C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  PID 4108 (depth 1; Volume Shadow Copy service, servicing the restore point)
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
- C:\Program Files\GuidePortalRapid\tTKiMHhNtqSk.exe
  "C:\Program Files\GuidePortalRapid\tTKiMHhNtqSk.exe" install
  PID 4696 (depth 1; parent not captured in the report)
  - Drops file in Program Files directory
  - Executes dropped EXE
- C:\Program Files\GuidePortalRapid\tTKiMHhNtqSk.exe
  "C:\Program Files\GuidePortalRapid\tTKiMHhNtqSk.exe" start
  PID 4708 (depth 1; parent not captured in the report)
  - Drops file in Program Files directory
  - Executes dropped EXE
- C:\Program Files\GuidePortalRapid\tTKiMHhNtqSk.exe
  "C:\Program Files\GuidePortalRapid\tTKiMHhNtqSk.exe"
  PID 2876 (depth 1)
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  The install and start verbs, the same-named tTKiMHhNtqSk.xml beside the binary and the tTKiMHhNtqSk.wrapper.log it writes are the conventions of a service-wrapper executable (the WinSW wrapper uses exactly these). Read together, the three tTKiMHhNtqSk.exe instances are a service being registered, started, and then running as the service host with no parent in the tree. That is why the PurpleFox/Gh0st-matched process below hangs off this depth-1 instance and not off the installer, and it is the persistence to remove: the service, not only the MSI product registration. The service creation itself is not captured on this page, so the service name has to be read from tTKiMHhNtqSk.xml.
  - C:\Program Files\GuidePortalRapid\TpuaDVwAtO28.exe
    "C:\Program Files\GuidePortalRapid\TpuaDVwAtO28.exe" -number 264 -file file3 -mode mode3 -flag flag3
    PID 3428 (depth 2)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\GuidePortalRapid\TpuaDVwAtO28.exe
      "C:\Program Files\GuidePortalRapid\TpuaDVwAtO28.exe" -number 362 -file file3 -mode mode3 -flag flag3
      PID 4500 (depth 3; the process whose memory dumps matched purplefox_rootkit and family_gh0strat)
      - Enumerates connected drives
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
Across the three TpuaDVwAtO28.exe launches only -number changes (123, 264, 362); -file file3 -mode mode3 -flag flag3 is constant, so -number is the value that distinguishes the stages and is worth checking against the binary's argument parsing.
Network
MITRE ATT&CK Enterprise v15
Persistence
- Event Triggered Execution (1): Installer Packages (1)
- Pre-OS Boot (1): Bootkit (1)
Defense Evasion
- Pre-OS Boot (1): Bootkit (1)
- System Binary Proxy Execution (1): Msiexec (1)
The Discovery signatures reported above (System Language Discovery, drive enumeration, processor and SCSI registry reads) are not part of the mapping as captured on this page, and both Bootkit entries rest on the single PhysicalDrive0 handle discussed under "Writes to the Master Boot Record (MBR)". The service-style persistence visible in the Processes tree is not mapped either, because service creation was not recorded.
Downloads
Paths are shown only where the page records them.
- Filesize 7KB
  MD5 ebdbf34a76f53822b620300de34289c6
  SHA1 4b88c1e0c1edd755bcddc9a02eb1c62e999403f8
  SHA256 973168e73b6a2911276d3cc84a948388d0d5d452acc1ba72cd21253cd80d37a2
  SHA512 d5d4f4283b3bfa3030f0936406130ced708126eff9fa19306afe5dc6d261463a34ea2755721eb939431d0f9465fd9342f8407e260956e543063452b9ec2144f8
- Filesize 574KB
  MD5 42badc1d2f03a8b1e4875740d3d49336
  SHA1 cee178da1fb05f99af7a3547093122893bd1eb46
  SHA256 c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
  SHA512 6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c
- Filesize 3.1MB
  MD5 cab83f4897ba305ccf1b3811d0d46b46
  SHA1 f9b0a859ccfd545ca4794d2e37f0fe92e7469c88
  SHA256 45265ec03d03272fbda8eca896bdc2f72f8ac0ab862d41f7a97cd823525c0a9c
  SHA512 e018957a52075c203d48a59b2e049ed0d6980fefe467bd1b49bdd2a9b7aa5efb2d0d84a2b9e24f9b3ce680d424da137a2a7c3bc14f060960fba4cfbd900431ac
- Filesize 832KB
  MD5 d305d506c0095df8af223ac7d91ca327
  SHA1 679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a
  SHA256 923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66
  SHA512 94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796
- Filesize 270B
  MD5 86954539197e37d839c4bf6ee5f14eee
  SHA1 64a0026808e4c514732134d633fa1f5ccd61a5e3
  SHA256 e658c18d1775c3b73ea0a9c38be454606b43ea37844d9a298a11fd9a6275a809
  SHA512 aa95d71742efd8872731b02b12ca7c8420ee501416ac1f47d36ad75984ac9481d8efe86b13db796344350f78f2c645f256c2938b78041e0e45b66d925faf4b06
- Filesize 428B
  MD5 3e2824bf0f8d848a1c8f4b31550d0f60
  SHA1 fbdbd7db6dce217b9ec5c56a34ef96f3c50e2df6
  SHA256 ca047f0378bef9bd597f55571a455b614d52b6b5bf39c2a1afab804f908c37a9
  SHA512 e7e703bc694ae549b51f3b8abdafce138397a9dd321a03d48e8f5611152f4283a411414f308980f7412431268d4e8c89579a4fd977909a4ffb39b3a705fff1f5
- Filesize 596B
  MD5 0369ec65c4bd5583e2042f2ea646373e
  SHA1 67ea06471d09150351dd6dd6136a021a8ead275f
  SHA256 7d2bc7edee79039b7bb9ae26e663e61e1558d50ed8f2c127b4581d3255b81a7e
  SHA512 f1f5b1a31bdac022917f521ac159056b2e6e5b68cfca7fbb7e38e1cae05594d1e68132dd2f064c923c463bd61e8e2b4a45a931bb19cfe874e90371f8117279f1
- Filesize 438B
  MD5 86de53b90829d5a005483f28e965d95a
  SHA1 509de49e32ecf9a9dbccca19ba166dd8207079c3
  SHA256 6a06a89acd0447279a72a75489294530c1634cff9287b056ee23993b5fcbc86d
  SHA512 446a5caf6c3ee30ae037622af8d3be24f3b162f133ea84b8f3e2ea18d89479a9d049ac6fb65825af011e1b99e2de8bea49fc2186554ccda987138f3871f1b0f9
- Filesize 1.9MB
  MD5 45dcc34b4184b6b0900686a5b1337e7d
  SHA1 fcc2985d00fe937abca356d114ecf050a8853aed
  SHA256 83cda810e9e4ae8bc95bd820e27dc26a86ef38f388164ba0d807bdffc4880346
  SHA512 527eabefecf23c0a6e4bee2b52cb3dfaa4a7ff36c99808cf82e99e691c3a4c5b1f905fb0c0edbebe9e241888db37f73861a7ad798f8667202eb99d2e6a66777d
- Filesize 6.0MB
  MD5 57dadd6a929f64c2b1efe2d52c1c4985
  SHA1 962cb227f81f885f23826c3e040aa9dbc97659cf
  SHA256 996b5d59cce7955b4374bd00d83c422d3a1d9ffebba59c66074c37ab28cfaeb5
  SHA512 3f64c35e72698ea6a7e708a4367277f3ab62c27f0652e0c55bab6e02239ee37c4f0a21503c0688301fb77bbf8e59e3c5c8aa2df8d62a4ab8a9b9cdf6f0a775cf
- Filesize 1KB
  MD5 122cf3c4f3452a55a92edee78316e071
  SHA1 f2caa36d483076c92d17224cf92e260516b3cbbf
  SHA256 42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0
  SHA512 c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c
- Filesize 26.2MB (identical hashes to the submitted wpsupdate.msi)
  MD5 6172dbd24d1ccc413437ee5d9f38a750
  SHA1 4c24165e5d375ecaf5b5c49d831e48f70833bcfa
  SHA256 8e599267e624e8865dc1377d533cbbed11a53d18cb3de3946e62e5887b06b641
  SHA512 362432449d23d40fa0d2ccf27e608e063b083d23da9fa1c3ad10cf3772763421859fa91bf2c3bbd257f1a8e8ef723930dd758d009ff0cfbaf4be96316dd0fc0d
- Filesize 23.7MB
  MD5 7581109c71116fda40eb914cce8e0296
  SHA1 aea122f42c8da2833cdaac641e9223a57d4dc3af
  SHA256 48c7175dd481f71301536356a537755340c3585ecc88e8057e926f603930f36b
  SHA512 4eb81202c15100d370d55e1a508da58f4dce55a537b1dcde7e8945daca97342c62b4f695f9c35800c20abcba802adea3d11531bd9c34ab5da42815d123d4901f
- \??\Volume{fa3589b5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{5a102afb-5d3a-4294-bc25-bf23d3c2afad}_OnDiskSnapshotProp
  Filesize 6KB
  MD5 64c3164416e37f03d30e5234e17037e6
  SHA1 760f1c53128fc9b54992114ed75eb581953c05bc
  SHA256 b488c3d280b3c0193ca0051bcdfb9acbf5df107b176aadc049c06c13b6873c0d
  SHA512 c0545bbe671936482eff45b89a8b586275aead518404dbbba06ddae9e210edf5174b1b553ebc72205ceceb639e0901727f4db98b7bc22219c96ef74343190326
  This is restore-point metadata written by the System Protection path during the install, not a payload file; the first group of the volume GUID, fa3589b5, is the MBR disk signature of the analysis disk and matches the b58935fa bytes cached by vssvc.exe under "Checks SCSI registry key(s)".
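The Volume{...} path on the last entry encodes where that snapshot metadata lives. The following is an added example, not part of the report: it parses the MBR-style volume GUID (disk signature in the first group, partition byte offset little-endian in the last two groups, a Windows convention this example relies on) and checks that the same disk signature appears in the PartitionTableCache value vssvc.exe wrote under "Checks SCSI registry key(s)". Only the first 32 bytes of that value are embedded, copied from the report; the cache's internal layout is not described on the page and is not interpreted beyond locating those four bytes.

```python
"""Relate the Volume{...} path under Downloads to the MBR disk signature that
vssvc.exe cached in Partmgr\\PartitionTableCache.

Added example, not part of the report. For volumes on MBR disks Windows forms
the volume GUID as {<disk signature>-0000-0000-0000-<partition byte offset,
little-endian>}; this example relies on that convention.
"""
import re
import struct

# Path copied from the last Downloads entry.
VOLUME_PATH = (
    r"\??\Volume{fa3589b5-0000-0000-0000-d01200000000}"
    r"\System Volume Information\SPP\OnlineMetadataCache"
    r"\{5a102afb-5d3a-4294-bc25-bf23d3c2afad}_OnDiskSnapshotProp"
)

# First 32 bytes of the PartitionTableCache value from "Checks SCSI registry
# key(s)". The cache layout is not described on the page; only the 4-byte
# little-endian disk signature is searched for.
PARTITION_TABLE_CACHE_PREFIX = (
    "0000000004000000b58935fac5ebb773"
    "00000000000000000000000000000000"
)

MBR_VOLUME_RE = re.compile(
    r"Volume\{([0-9a-f]{8})-0000-0000-0000-([0-9a-f]{12})\}", re.IGNORECASE
)


def parse_mbr_volume_guid(path: str) -> tuple:
    """Return (disk_signature, partition_offset_bytes) from an MBR-style volume GUID."""
    m = MBR_VOLUME_RE.search(path)
    if not m:
        raise ValueError("no MBR-style Volume{...} GUID in path")
    disk_signature = int(m.group(1), 16)
    # Data4 of the GUID is the fourth group ("0000") followed by the fifth,
    # read together as one little-endian 64-bit integer.
    partition_offset = int.from_bytes(bytes.fromhex("0000" + m.group(2)), "little")
    return disk_signature, partition_offset


def find_disk_signature(cache_hex: str, disk_signature: int) -> int:
    """Byte offset of the little-endian disk signature inside the cache value, or -1."""
    return bytes.fromhex(cache_hex).find(struct.pack("<I", disk_signature))


def snapshot_volume_summary(path: str = VOLUME_PATH,
                            cache_hex: str = PARTITION_TABLE_CACHE_PREFIX) -> dict:
    sig, offset = parse_mbr_volume_guid(path)
    return {
        "disk_signature": "%08x" % sig,
        "partition_offset_mib": offset / (1024 * 1024),
        "signature_offset_in_cache": find_disk_signature(cache_hex, sig),
    }


if __name__ == "__main__":
    for key, value in snapshot_volume_summary().items():
        print("%-26s %s" % (key, value))
```

On the page's data the signature is fa3589b5, the volume starts 301 MiB into the disk, and the signature bytes sit at offset 8 of the cache value. The same parse is useful on a real incident: a Volume{...} GUID in a log line can be tied back to a physical disk without mounting anything.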